Going Contactless: You Can’t “Just Re-Card” Anymore
September 15, 2016 | Author: Brandon McCarthy | Category: N/A
Diane Brueggeman & Bryan Crase, University of Cincinnati
Todd Brooks, Color ID
You Can’t “Just Re-Card” Anymore
Is a Contactless Card conversion on your radar?
• Decisions we made
• Processes followed
• Lessons learned
It’s Complicated!
University of Cincinnati (UC) Landscape
• Stakeholders
○ Public Safety & Campus Services
Players
• Public Safety ID production & door access
• Bearcat Card* door access & POS
• Cincinnati Metro Transit
• Banking relationship
• Others
○ Housing & Food
○ Parking
○ Rec Center
Why Convert to Contactless?
New Hardware/Readers & IDs = Better Security
• Task Force
• ISO Comprised
• Security
• Migration path for future
• Mag-stripe is bad
• Contactless is cool!
We need to do something different, now what? But what technology? How does it work?
Contactless smart cards
• 13.56 MHz “High Frequency” RFID Technology
• Advanced security available – encryption
• Additional memory, up to 16K bytes
• Widely used for physical access, transit, payments
Card Encryption keys
• KEYS are like PASSWORDS that lock memory sectors on smart cards
• When cards are programmed for physical access, the application area on the card is locked with a key
• Contactless cards can have the manufacturer’s standard key, or a custom key unique to the institution
• Secure readers and cards usually have to be from the same manufacturer
• The reader holds the keys for the cards it will read
[Figure labels: HID, Allegion, Blackboard]
Contactless card providers
HID
• iCLASS - 2003
• “SIO” for iCLASS, MIFARE, MIFARE DESFire EV1 – 2012
• SEOS, Bluetooth Mobile Access – 2014
• Assa Abloy – Persona / Sargent Locks
Allegion
• Originally XceedID, Ingersoll Rand, then spun off - 2013
• aptiQ: MIFARE, MIFARE DESFire EV1
• Schlage AD Series Locks
Blackboard
• FeliCa – 2008
• MIFARE, MIFARE DESFire EV1 - 2013
HID Secure Identity Object
HID’s SIO – Secure Identity Object
• Data can be anything – ID number for PACS, employee ID, ISO number
• Loaded on cards by HID through AsureID software, or Over the Air (OTA) to mobile
• SIO is encrypted with AES, digitally signed, and bound to device
• SIO data read at door by HID SE readers
SIO Provides added Security to Many Cards
• iClass, Mifare, DESFire EV1, SEOS
SE Readers work with Cards and Mobile Access
Cards - Allegion aptiQ
aptiQ Readers and Cards
• MIFARE Classic and MIFARE DESFire EV1
• Pre-programmed by Allegion, using native NXP encryption
• Custom encryption keys available
• aptiQ cards work on Allegion readers and locks – AD series
Blackboard
• Blackboard readers for POS and physical access
• Cards programmed inline during printing or at the desktop
• MIFARE, DESFire EV1, FeliCa
How Did We Start?
Received approval from VP
Secured Funding
Solicited Key Areas of the University
• Central IT, Info Security, PDC, Parking, Library, Purchasing, METRO, Communications, Medical Center, Branch Campuses, etc.
Formed a Large Committee
Things We Considered
Technology
Type of Card
● MIFARE
● DESFire EV1
● Size of Card
Card creation for Re-Carding and beyond
Encoding HID, Blackboard, METRO
Pre-Vendor Demos
The Plan
Researched Contactless Card Technology
● Information sessions with vendors
Created RFP
● Project Committee Formed
● Determined Technical Specifications
● Bearcat Card, Picture Perfect, METRO, Parking, future…
RFP Process
● Published
● Responded to vendor questions
● Received seven responses
● Checked References
● Scored RFP responses
● Demos from top two responders/demo score
● Bid award
Student Card Design Contributions
What We Chose & Why
And the winner is… DESFire EV1
• Only card that met all of our needs
• Vendor Color ID
• Card production by Color ID?
• HID or Generic Card?
Printing on Site
• How does your day-to-day card operation work?
• How long will my re-card take?
• Do you need to hire temp workers?
• Do you have the time and resources?
• Wear and tear on printers
• Consumable cost
• Pressure on the Card Office
Pre-Printing
• More cost effective to have vendor pre-print
• How many cards are needed for my re-carding?
• When do I cut-off to send a file?
• How much will customer information change?
• What will I do with all these cards?
• What if nobody shows up?
What Color ID Did for UC
The UC conundrum
• Multiple credentials
o HID, Blackboard, Metro
o Parking
o Production
o Encoding
o Printing new ID
o Resolving the wait time
Recard Process
• ~65,000 Total Cards - 45,000 Personalized
• Used 6 - HDP5000 print stations
• Ensures same card from ColorID or UC
• Separate Encoding Stations
• Press Proofs
• Triple Check Process
Programming cards inline
HID writes data with AsureID software
• Fargo Printer
• CP1000 Desktop Encoder
Blackboard
• Datacard Printer
• MF4100
Cincinnati METRO Specification
DESFire EV1 4K
14 Encryption Keys
23 Files (Data, Purses, CRCs, etc)
Many Types of Products
• Transfer
• Period Pass
• Stored Ride
• Stored Value
• Etc.
Parking
Parking Systems
• Typically in their own world
• Access control readers are weatherproof
• Wiegand interfaces to install access control readers for campus cards
• University 1000 format for Parking – T2 Systems testing
Card Issuance Dilemma
• Picture Perfect Access Control
• Informix Database
• 6 Tables for ID Data (Reduced to 3)
• ISO Number Generation Process
• 1:Many relationships for card numbers and photos
Issuance / Encoding Solution
• Encode HID Credential at the desktop using CP1000 encoder and AsureID
• Encode Blackboard Credential using MF4100 device
• No Records need to be accessed for encoding
How We Made It Happen
Development
Testing
Implementation
How We Made It Happen
Logistics, Logistics, Logistics
• Card database cleanup
• Which cards to pre-print
• Order of groups to print
o CS/PS Staff
o Faculty/Staff, Affiliates
o Students (Main Campus & Branch)
o ELS
o Card distribution
• Final cut-off for production data
o As close to vendor printing as possible
A New Look Old university ID
Card Design
• Student Design contest
• Received input from students
• Got the community involved!
Student Design Contest
UC Branding Approved Designs
Our Final Design NEW
Old
How We Made It Happen
Logistics for 45,000 Cards
● Room configuration
● Organization of cards
● Layout of card storage
● Moving the cards daily
● Issuance
How We Made It Happen
Re-Carding Events
● Activation of the cards upon issuance
● Feed to Public Safety
● Feed to PNC
● Feed to the Bearcat Card system
● UC systems updated
How We Made It Happen
Re-Carding Events
● Where is my ID?
● That is not my title!
● What does the system say?
○ Experts on hand
○ Access to badge system
How We Made It Happen
Being Flexible
● Special Distribution
○ Surgeons
○ Medical Students
○ Law Students
○ Branch Campuses (4)
How We Made It Happen
• Marketing
• Tweet from the Prez
• E-blast ID events
• Face of the Bearcat
• New ID Web Site
How We Made It Happen
Marketing Re-Carding Events
Your Bearcat Card does everything it always has... and more!
How We Made It Happen
New Bearcat Card Website Established
www.uc.edu/ID
Prominent FAQ page featured on the site
• Support Approach
o Trouble report located directly at the bottom of the homepage
Card Distribution
Where We Are Today Public Safety Door Read Status
Bearcat Door Status
METRO
Assa Abloy Suite Doors
Rec Center
Parking
Micros POS
Lessons Learned
COLORID
• White Space / Padding
• Transit Encoding
• Database Connections and Processes – Ask More Questions
• Good Experience for Large Projects
Lessons Learned
Distribution
• People showing up for an ID even if they never had one before
• How many non-UC groups used our ID number
• File cut-off timing could have been better
• Need a number of willing staff to work the pick-up stations
Lessons Learned
Recarding Overall
• Find the expert
• Allow plenty of time for credential information exchange
• Be Flexible
Questions?